Unable to install plugins from online source nu.novell.com on OES

  • 7021183
  • 04-Aug-2017
  • 09-Aug-2017

Environment

iManager 2.7.X
OES 2015
OES 11

Situation

When attempting to install plugins from Novell Downloads (nu.novell.com), the plugin installation never progresses or completes.

The /var/opt/novell/tomcat6/logs/catalina.out file shows the following error:

NetIQ JClient 2.08.0503-2.8.503. (c) 2013 NetIQ Corporation and its affiliates. All Rights Reserved.
DownloadAndInstall..124 com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal
 cause is: 
                                java.security.cert.CertPathValidatorException: 
The certificate issued by CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  is not trusted; internal cause is: 
        java.security.cert.CertPathValidatorException: Certificate chaining error



Resolution

Download the certificate specified in the catalina.out file from https://www.digicert.com/digicert-root-certificates.htm

For example:

DigiCert Global Root CA
DigiCert High Assurance EV Root CA

Copy the downloaded certificate to the OES server.  For this example, the certificate was saved as: DigiCertHighAssuranceEVRootCA.crt

Install the certificate into the cacerts file used by iManager using the following command:

keytool -import -alias DigiCert -file /tmp/DigiCertHighAssuranceEVRootCA.crt -keystore /var/opt/novell/tomcat6/conf/cacerts

When prompted "Trust this certificate? [no]:", type yes and press Enter.

When prompted "Enter keystore password:", type changeit

Restart iManager:  rcnovell-tomcat6 restart
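
Because the import extends trust to every certificate the CA issues, it is worth confirming that the file is the genuine root before it goes into cacerts. The script below is an added example, not part of the original TID: it compares the file's SHA-256 fingerprint with a value obtained from the CA through a separate channel and runs the keytool import only on a match. The function names, the script name and the fingerprint argument are assumptions or placeholders.

```shell
#!/bin/sh
# Added example: check a root CA file against a fingerprint obtained out of
# band before adding it to iManager's cacerts. Function names are hypothetical.

# Reduce "sha256 Fingerprint=AB:CD:..." or "ab cd ..." to bare upper-case hex.
normalize_fp() {
    printf '%s' "${1##*=}" | tr -d ': \n' | tr '[:lower:]' '[:upper:]'
}

# SHA-256 fingerprint of a certificate file; tries PEM first, then DER,
# because a downloaded .crt may be in either encoding.
cert_sha256() {
    fp_out=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) ||
    fp_out=$(openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256 2>/dev/null) ||
    return 1
    normalize_fp "$fp_out"
}

# Usage: import_verified_root CERT EXPECTED_SHA256 KEYSTORE ALIAS
# Returns 2 if the file cannot be parsed, 1 on fingerprint mismatch;
# keytool runs only when the fingerprints are identical.
import_verified_root() {
    cert=$1 expected=$(normalize_fp "$2") keystore=$3 ks_alias=$4
    actual=$(cert_sha256 "$cert") || {
        echo "cannot read certificate: $cert" >&2
        return 2
    }
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch, not importing" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    # Same import command as in the steps above; keytool still prompts.
    keytool -import -alias "$ks_alias" -file "$cert" -keystore "$keystore"
}

# Run only when called with all four arguments, for example
# (verify_import.sh is a hypothetical script name):
#   sh verify_import.sh /tmp/DigiCertHighAssuranceEVRootCA.crt \
#      '<SHA-256 FINGERPRINT FROM THE CA, PLACEHOLDER>' \
#      /var/opt/novell/tomcat6/conf/cacerts DigiCert
if [ "$#" -eq 4 ]; then
    import_verified_root "$@"
fi
```
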

Cause

The root CA for the DigiCert certificate used by nu.novell.com has not been imported into the certificate store file /var/opt/novell/tomcat6/conf/cacerts on OES.

Importing the certificate allows Java to trust the certificate used by nu.novell.com and to download the NPMs for installation.

Additional Information

Note:  Adding the DigiCert High Assurance EV Root CA certificate will cause all certificates issued by this CA to be trusted.